What is a Compliance Risk Assessment?

A Compliance Risk Assessment is a process which identifies the major inherent risks within a bank’s business lines and factors in all the internal controls employed by your financial institution to control and/or mitigate the identified risks.  What remains after the internal controls is the residual risk the business lines pose to your financial institution.

Why should a financial institution prepare a Compliance Risk Assessment?
A financial institution needs to be proactive in identifying areas which may present significant risk to the institution.  Some areas to consider are:

• What is the likelihood the financial institution may violate laws and regulations?
• Where are controls required and needed to mitigate these risks?
• How does the institution best utilize the limited time and resources allocated to compliance?

Components of a Compliance Risk Assessment

The risk assessment should first include an analysis of the types of activities your institution participates in, and the products and services the institution provides to its customers, the physical locations of it branch offices and the stability of its customer base. These factors and activities are known as “Inherent Risk”.  Next review the risk controls your institution has in place to mitigate and control these risks.  What remains is the “Residual Risk”.

Inherent Risk vs. Residual Risk

What is inherent risk?  Inherent risk is the risk of error if there were absolutely no mitigating controls in place.  What is residual risk? Residual risk is the level of risk present after effective controls such as policies, procedures, and secondary reviews are accounted for.  The residual risk is where your financial institution should focus its compliance time and resources.

Risk Rating Systems

No regulatory requirements exist which require your institution to use a particular risk rating system.  Make sure whatever risk rating system your institution utilizes enables conclusions to be consistent and based on logical rationale.

Mitigating Inherent Risk – The Controls

Controls are implemented to perform a function that mitigates or reduces identified inherent risks. The controls may be automated or manual.  The controls should be preventive, not detective, and designed to operate in an effective manner and are integrated within all business lines.

How do you evaluate your internal controls?
In evaluating your financial institution’s internal controls, here are some things to consider:

• Are the controls designed effectively?
• What specific business lines or systems are covered by the controls?
• How reliable are the controls?
• Will the controls identify exceptions in most instances?
• May the controls be overridden?
• Do the controls perform in practice and as intended?
• Does your institution periodically test the controls?

What are Other Internal Controls Considerations?

Answer the following questions to assess your institution’s risks and evaluate the internal controls.

• What is the trend of the risk? Is it increasing, decreasing, stable?
• What is your institution’s compliance culture?
• What is your institution’s risk appetite?
• Are your institution’s policies and procedures strong enough for a financial institution your size?
• Does your institution engage a monitoring system to enable tracking?

Post Compliance Risk Assessment

Your financial institution has completed and updated its Compliance Risk Assessment, now what are your next steps? Your institution should prioritize compliance resources based on the results of the risk assessment.  A current compliance risk assessment needs to be maintained and updated, as necessary, and should integrate changes from new and/or changed products, services, regulations and exam results.  Make sure to re-evaluate the compliance risk measurements and implemented controls on a regularly scheduled periodic basis. The optimal position to be in is for your institution to have an updated risk assessment in place allowing you to maintain a more positive stance with your regulator.